1. Field of the Invention
The present invention relates to card issuing systems, card issuing servers, card issuing methods, and programs, and in particular to a card issuing system capable of efficiently preventing unauthorized access to an IC chip, a card issuing server, a card issuing method, and a program.
2. Description of the Related Art
In recent years, a technique has been realized in which the card number of a card issued by a service provider such as a financial institution, the type of service that can be used with that card, and the like are written to an IC chip mounted in a portable telephone or similar device, allowing the portable telephone mounted with the IC chip to be used in the same way as the card issued by the service provider. Normally, the IC chip is tamper-proof, and the data written on the IC chip is held securely. To access or write data to an IC chip holding secure information, it is desirable that a system for accessing the IC chip be built or that information for accessing the IC chip be disclosed. To this end, a card issuing representative accesses or writes data to the IC chip at the request of the service provider.
When the IC chip mounted on the portable telephone or similar device is accessed through a network, a request from a client applicant controlling the IC chip is desired. Therefore, in order to access the IC chip and issue a card, mutual authentication is desired among three parties: the card issuing representative, the service provider, and the client applicant. The authentication among the three parties can be realized using a one-time password or the like. The authentication using the one-time password includes the following methods.
First, after authentication is carried out between the client applicant of the portable telephone and the server of the service provider, mutual authentication is carried out between the server of the service provider (hereinafter referred to as the service providing server) and the server of the card issuing representative (hereinafter referred to as the card issuing server). The card issuing server sends the client applicant of the portable telephone, through the service providing server, a one-time password (token) for authenticating a request from the client applicant. The card issuing server can then specify the client applicant of the portable telephone mounted with the IC chip to which the card information is to be written. When transmitting the request to the card issuing server, the client applicant of the portable telephone presents the token it was given, and the card issuing server authenticates the client applicant of the portable telephone by verifying the presented token.
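The token flow described above, sketched as an added example (not part of the original document or of the cited patent application). The class and method names, the 300-second holding period, the SHA-256-keyed token store and the client identifiers "A" and "B" are assumptions made for illustration, and the mutual authentication with the service providing server is reduced to a boolean.

```python
import hashlib
import hmac
import secrets


class CardIssuingServer:
    """Issues one-time tokens; keeps per-token state until use or expiry."""
    def __init__(self, ttl_seconds, clock):
        self.ttl = ttl_seconds   # holding period, an assumed value
        self.clock = clock       # injectable so the demo is deterministic
        self.pending = {}        # sha256(token) -> (client_id, expiry)

    def issue_token(self, provider_authenticated, client_id):
        # Reached via the service providing server after mutual authentication.
        if not provider_authenticated:
            raise PermissionError("service providing server not authenticated")
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (client_id, self.clock() + self.ttl)
        return token

    def handle_request(self, client_id, token):
        # pop() makes the token single-use: a replay finds no entry.
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)
        if entry is None:
            return False
        bound_client, expiry = entry
        same = hmac.compare_digest(bound_client.encode(), client_id.encode())
        return same and self.clock() <= expiry

    def purge_expired(self):
        # Tokens never redeemed remain server-side state until swept.
        stale = [k for k, (_, exp) in self.pending.items() if exp < self.clock()]
        for k in stale:
            del self.pending[k]
        return len(stale)


def run_flow():
    now = [0.0]  # constructed fake clock
    srv = CardIssuingServer(ttl_seconds=300, clock=lambda: now[0])
    a1, a2, b1, b2 = (srv.issue_token(True, c) for c in ("A", "A", "B", "B"))
    out = {"first_use": srv.handle_request("A", a1),
           "replay": srv.handle_request("A", a1),
           "wrong_client": srv.handle_request("B", a2)}
    now[0] = 301.0  # past the holding period
    out["expired"] = srv.handle_request("B", b1)
    out["purged"] = srv.purge_expired()  # b2 was never presented
    return out
```

Every token issued but not yet presented occupies an entry in `pending`, so the store grows with the number of outstanding tokens and with the length of the holding period.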
In the above method, the authentication of the client applicant can be performed only at the time the client applicant transmits the request. The token may be acquired off-line in advance, but in that case the holding period of the token in the card issuing server becomes long, and thus the load on the system increases. To solve this issue, a technique has been disclosed that realizes the mutual authentication among the three parties using an authentication license generated based on individualizing information transmitted from the client applicant (e.g., Patent Document 1). In Japanese Patent Application Laid-Open No. 2006-246015, the service providing server, to which the individualizing information is transmitted from the client applicant, generates the authentication license, and the generated authentication license is transmitted from the client applicant to the card issuing server. The card issuing server verifies the transmitted authentication license to perform authentication of the client applicant, the portable terminal, and the service providing server.
[Patent Document 1] Japanese Patent Application Laid-Open No. 2006-246015